Kobeissi is quick to point out, both in conversation and on every page of the website, that Cryptocat is not a perfect solution for every scenario. The goal has always been to strike a balance between easy user experience and security. He has been transparent about the bugs that have been discovered along the way as the Cryptocat project has grown, and he invites more people to check his open-source code for errors, plying them with T-shirts, stickers, and credit. The warning on the Cryptocat homepage is worth quoting in full, as it shows both how high the stakes are for some internet users around the world and how seriously Kobeissi takes his responsibility:
Cryptocat is not a magic bullet. Even though Cryptocat provides useful encryption, you should never trust any piece of software with your life, and Cryptocat is no exception.
Cryptocat does not anonymize you: While your communications are encrypted, your identity can still be traced since Cryptocat does not mask your IP address. For anonymization, we highly recommend using Tor.
Cryptocat does not protect against key loggers: Your messages are encrypted as they go through the wire, but that doesn’t mean that your keyboard is necessarily safe. Cryptocat does not protect against hardware or software key loggers which might be snooping on your keyboard strokes and sending them to an undesired third party.
Cryptocat does not protect against untrustworthy people: Parties you’re conversing with may still leak your messages without your knowledge. Cryptocat aims to make sure that only the parties you’re talking to get your messages, but that doesn’t mean these parties are necessarily trustworthy.
To mitigate those potential gaps in Cryptocat’s security scheme, Kobeissi suggests using Cryptocat in conjunction with Tor, which provides IP anonymity and a way around censorship, and with secret-question authentication, which can help users confirm that they’re talking to the right people behind the usernames.
At a recent journalism-security workshop at Columbia’s Tow Center, several trainers jokingly referred to Cryptocat as “the gateway drug of encryption,” saying that it was an easy way for people to start understanding safe communication before moving on to even more complex and secure channels. When asked what he thinks about that characterization, and what “drug” he thinks users should move on to after they’ve gotten the hang of Cryptocat, Kobeissi laughs but then offers a different take.
“Honestly, I think it should be the other way around. I think the services themselves should move towards the user, not the user towards the services,” Kobeissi says. “People aren’t willing to move into these technologies that are essentially, at their very core, inaccessible. So the smarter thing to focus on would be for the services themselves becoming more accessible to the people.”